x509 extensions¶
This page provides a list of supported TLS extensions. They can be selected in the admin interface or via the command line. Please see Override extensions for more information on how to set these extensions in the command line.
keyUsage¶
The keyUsage extension defines the basic purpose of the certificate. It is defined in RFC5280, section
4.2.1.3. The extension is usually defined as critical.
| Name | Used for |
|---|---|
| cRLSign | |
| dataEncipherment | email encryption |
| decipherOnly | |
| digitalSignature | TLS connections (client and server), email and code signing, OCSP responder |
| encipherOnly | |
| keyAgreement | TLS server connections |
| keyCertSign | |
| keyEncipherment | TLS server connections, email encryption, OCSP responder |
| nonRepudiation | OCSP responder |
Currently, the default profiles (see CA_PROFILES setting) use these values:
| value | client | server | webserver | enduser | ocsp |
|---|---|---|---|---|---|
| cRLSign | ✗ | ✗ | ✗ | ✗ | ✗ |
| dataEncipherment | ✗ | ✗ | ✗ | ✓ | ✗ |
| decipherOnly | ✗ | ✗ | ✗ | ✗ | ✗ |
| digitalSignature | ✓ | ✓ | ✓ | ✓ | ✓ |
| encipherOnly | ✗ | ✗ | ✗ | ✗ | ✗ |
| keyAgreement | ✗ | ✓ | ✓ | ✗ | ✗ |
| keyCertSign | ✗ | ✗ | ✗ | ✗ | ✗ |
| keyEncipherment | ✗ | ✓ | ✓ | ✓ | ✓ |
| nonRepudiation | ✗ | ✗ | ✗ | ✗ | ✓ |
extendedKeyUsage¶
The extendedKeyUsage extension refines the keyUsage extension and is defined in RFC5280, section
4.2.1.12. The extension is usually not defined as
critical.
| Name | Used for |
|---|---|
| serverAuth | TLS server connections |
| clientAuth | TLS client connections |
| codeSigning | Code signing |
| emailProtection | Email signing/encryption |
| timeStamping | |
| OCSPSigning | Running an OCSP responder |
| smartcardLogon | Required for user certificates on smartcards for PKINIT logon on Windows |
| msKDC | Required for Domain Controller certificates to authorise them for PKINIT logon on Windows |
Currently, the default profiles (see CA_PROFILES setting) use these values:
| value | client | server | webserver | enduser | ocsp |
|---|---|---|---|---|---|
| serverAuth | ✗ | ✓ | ✓ | ✓ | ✗ |
| clientAuth | ✓ | ✓ | ✗ | ✓ | ✗ |
| codeSigning | ✗ | ✗ | ✗ | ✓ | ✗ |
| emailProtection | ✗ | ✗ | ✗ | ✗ | ✗ |
| timeStamping | ✗ | ✗ | ✗ | ✗ | ✗ |
| OCSPSigning | ✗ | ✗ | ✗ | ✗ | ✓ |
| smartcardLogon | ✗ | ✗ | ✗ | ✗ | ✗ |
| msKDC | ✗ | ✗ | ✗ | ✗ | ✗ |
tlsFeature¶
The TLSFeature extension is defined in RFC7633. This extension
should not be marked as critical.
| Name | Description |
|---|---|
| OCSPMustStaple | TLS connections must include a stapled OCSP response, defined in RFC6066. |
| MultipleCertStatusRequest | Not commonly used, defined in RFC6961. |
The use of this extension is currently discouraged. Current OCSP stapling implementation are still poor, making OCSPMustStaple a dangerous extension.